Merge pull request #14879 from geoffw0/contentsof

Swift: "contentsOf" sources

Author: geoffw0

swift/ql/lib/change-notes/2023-11-22-contentsof.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added imprecise flow sources matching initializers such as `init(contentsOfFile:)`.

swift/ql/lib/codeql/swift/frameworks/Frameworks.qll

@@ -8,3 +8,4 @@ private import SQL.SQL
 private import StandardLibrary.StandardLibrary
 private import UIKit.UIKit
 private import Xml.Xml
+private import Heuristic

swift/ql/lib/codeql/swift/frameworks/Heuristic.qll

@@ -0,0 +1,53 @@
+/**
+ * Provides heuristic models that match taint sources and flow through unknown
+ * classes and libraries.
+ */
+
+import swift
+private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.dataflow.FlowSources
+
+/**
+ * An initializer call `ce` that has a "contentsOf" argument, along with a
+ * guess `isRemote` as to whether it is the contents of a remote source. For
+ * example:
+ * ```
+ * let myObject = MyClass(contentsOf: url) // isRemote = true
+ * let myObject = MyClass(contentsOfFile: "foo.txt") // isRemote = false
+ * ```
+ */
+private predicate contentsOfInitializer(InitializerCallExpr ce, boolean isRemote) {
+  exists(Argument arg |
+    ce.getAnArgument() = arg and
+    arg.getLabel() = ["contentsOf", "contentsOfFile", "contentsOfPath", "contentsOfDirectory"] and
+    if arg.getExpr().getType().getUnderlyingType().getName() = ["URL", "NSURL"]
+    then isRemote = true
+    else isRemote = false
+  )
+}
+
+/**
+ * An imprecise flow source for an initializer call with a "contentsOf"
+ * argument that appears to be remote. For example:
+ * ```
+ * let myObject = MyClass(contentsOf: url)
+ * ```
+ */
+private class InitializerContentsOfRemoteSource extends RemoteFlowSource {
+  InitializerContentsOfRemoteSource() { contentsOfInitializer(this.asExpr(), true) }
+
+  override string getSourceType() { result = "contentsOf initializer" }
+}
+
+/**
+ * An imprecise flow source for an initializer call with a "contentsOf"
+ * argument that appears to be local. For example:
+ * ```
+ * let myObject = MyClass(contentsOfFile: "foo.txt")
+ * ```
+ */
+private class InitializerContentsOfLocalSource extends LocalFlowSource {
+  InitializerContentsOfLocalSource() { contentsOfInitializer(this.asExpr(), false) }
+
+  override string getSourceType() { result = "contentsOf initializer" }
+}

swift/ql/test/library-tests/dataflow/flowsources/custom.swift

@@ -0,0 +1,34 @@
+
+// --- stubs ---
+
+struct URL {
+	init?(string: String) {}
+}
+
+class MyClass {
+	init(contentsOfFile: String) { }
+	init(contentsOfFile: String?, options: [Int]) { }
+	init(contentsOf: URL, fileTypeHint: Int) { }
+
+	init(contentsOfPath: String) { }
+	init(contentsOfDirectory: String) { }
+
+	func append(contentsOf: String) { }
+	func appending(contentsOf: String) -> MyClass { return self }
+}
+
+// --- tests ---
+
+func testCustom() {
+	let url = URL(string: "http://example.com/")!
+
+	let x = MyClass(contentsOfFile: "foo.txt") // $ source=local
+	_ = MyClass(contentsOfFile: "foo.txt", options: []) // $ source=local
+	_ = MyClass(contentsOf: url, fileTypeHint: 1) // $ source=remote
+
+	_ = MyClass(contentsOfPath: "/foo/bar") // $ source=local
+	_ = MyClass(contentsOfDirectory: "/foo/bar") // $ source=local
+
+	x.append(contentsOf: "abcdef") // (not a flow source)
+	_ = x.appending(contentsOf: "abcdef") // (not a flow source)
+}